Data privacy is a big deal right now. Facebook is the latest company facing lawsuits and a PR nightmare related to the way it handled its customers’ data. However, Facebook is not the only company that needs to re-think its privacy-related policies. The data issues that Facebook is currently facing place the spotlight on a problem that has been brewing for some time.
Privacy and control over what companies do with personal information is a common concern held by people around the world, from all walks of life and all political persuasions. While there are differing views on whose responsibility it is to protect data, most agree that there should be some safety measures taken. In the US, most states have some laws related to data breach and data security but the US does not have a comprehensive federal data security law. The European Union has enacted a stringent regulation called the General Data Protection Regulation (GDPR). The GDPR goes into effect in May 2018 and places strict rules on what companies can do with the personal data of EU residents. Read here about the 5 steps your company needs to take before May.
GDPR requires companies to closely monitor and control their collection of personal data of EU residents. “Personal Data” is broadly defined and includes details such as name, date of birth, social security number, financial information, address, email addresses, IP addresses, sexual orientation, and religion. Under the GDPR, individuals have a right to opt in to having their data collected, to know what data is being collected, why it is being collected, and who is receiving it, to request copies of all personal data a company holds about them, to opt out of the data collection, and to have it deleted completely from the company’s records. In order to comply with these and other requirements, companies need to have processes and policies in place to act quickly. Non-compliance can result in massive fines of up to 20 million Euros or 4% of the company’s global turnover, whichever is higher, per breach. These are serious consequences and US businesses need to be prepared. While Facebook has been highly criticized for the Cambridge Analytica data scandal, its recent changes regarding privacy have likely been in the works for some time. Like other businesses, Facebook has to be compliant with the GDPR by the May 2018 deadline.
The GDPR is an EU regulation but that doesn’t mean that US businesses don’t have anything to worry about. Even companies without a physical presence in the EU could be liable for violations of the GDPR. Like Facebook, businesses that collect personal data from any EU resident need to make sure they are compliant with the GDPR by May. The recent PR scandal Facebook is dealing with highlights the public’s demand for transparency and providing greater control to consumers.
Facebook’s troubles and the impending strict regulations of the GDPR should be a sign for all companies to take a second look at the way they collect and utilize personal data. Just this week, Pinterest introduced a new Privacy Policy and Terms of Service in order to comply with the new European privacy laws. Other companies are following suit. For more information on how to become GDPR compliant or begin the process of creating a comprehensive data privacy policy, feel free to contact us.
What the GDPR Requires: Core Obligations for US Businesses
The GDPR, which took effect on May 25, 2018, applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization itself is located. This extra-territorial scope is one of the GDPR’s most significant features. A US-based e-commerce company that sells products to EU residents, a US software company that provides services to EU businesses, and a US media company that collects data from EU visitors through tracking cookies — all are subject to the GDPR.
The GDPR establishes seven foundational principles for lawful data processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles must guide every data processing activity. A business that collects more personal data than it needs for its stated purposes violates the data minimization principle. A business that retains data indefinitely without a legitimate retention schedule violates the storage limitation principle.
The GDPR also requires a lawful basis for every data processing activity. The six available lawful bases are: consent, contract performance, compliance with a legal obligation, protection of vital interests, public interest, and legitimate interests. For most US businesses running Facebook advertising and social media marketing, the legitimate interests basis or consent is typically most relevant. Consent under the GDPR must be freely given, specific, informed, and unambiguous — pre-ticked boxes and vague blanket consents do not qualify.
Facebook Custom Audiences and GDPR Compliance
Facebook’s advertising platform allows businesses to upload customer email lists to create “Custom Audiences” for targeted advertising. Under the GDPR, uploading customer personal data to Facebook for advertising purposes requires a valid lawful basis. If the customers are EU residents and the business is relying on consent as the lawful basis, those customers must have specifically consented to their data being shared with Facebook for advertising purposes — a consent that is entirely separate from consenting to receive marketing emails from the business itself.
The Irish Data Protection Commission — Facebook’s lead supervisory authority in the EU — has issued multiple enforcement decisions against Meta (Facebook’s parent company) with penalties reaching into the hundreds of millions of euros. These decisions highlight the legal risk associated with behavioral advertising and data sharing on Facebook’s platform and serve as a warning to businesses that use Facebook’s advertising tools without carefully evaluating GDPR compliance.
Data Processing Agreements and Vendor Management
The GDPR requires businesses to have written Data Processing Agreements (DPAs) in place with all vendors and service providers that process personal data on the business’s behalf. Under the GDPR framework, the business is the “data controller” — the entity that determines the purposes and means of processing — and the vendor is the “data processor.” The DPA must specify the subject matter and duration of processing, the nature and purpose of processing, the type of personal data involved, and the obligations and rights of the controller.
Many major US technology vendors — including Salesforce, HubSpot, Mailchimp, and Google — provide standard DPAs for their business customers. US businesses using these platforms to process data from EU residents must execute these DPAs and ensure they are current. The GDPR imposes liability on data controllers for the GDPR violations of their processors if the controller failed to ensure the processor provided sufficient guarantees of compliance.
The US Privacy Law Landscape Post-GDPR
The GDPR has had a significant influence on US privacy law. California enacted the California Consumer Privacy Act (CCPA) in 2018, which took effect January 1, 2020, and was subsequently strengthened by the California Privacy Rights Act (CPRA), effective January 1, 2023. The CPRA established a dedicated privacy enforcement agency — the California Privacy Protection Agency (CPPA) — modeled in part on EU data protection authorities.
Multiple other states have followed California’s lead, enacting comprehensive state privacy laws including Virginia’s Consumer Data Protection Act, Colorado’s Privacy Act, Connecticut’s Data Privacy Act, and Texas’s Data Privacy and Security Act. While the US still lacks a comprehensive federal privacy law, the state-by-state patchwork of regulations has made privacy compliance a significant operational challenge for businesses operating across multiple states.
US businesses that began their GDPR compliance journey have a significant head start on complying with US state privacy laws, as the substantive obligations — transparency, access rights, deletion rights, opt-out of certain uses, data minimization — are broadly similar to those under the GDPR, though the specific requirements differ in important ways.
For more information on how to become GDPR compliant or begin the process of creating a comprehensive data privacy policy, contact the Internet lawyers at Revision Legal at 231-714-0100.